SR-B56328 · Issue 312168
RARO rules more secure against deletion
Resolved in Pega Version 7.3.1
In order to make RARO rules more secure, the system has been updated such that Class Permissions can't be deleted from the role unless the operator has permission and is operating in a valid context (unlocked ruleset). This has been done by revising the Role rule form to disable the delete button when RARO/RADO is in a locked ruleset.
SR-B57046 · Issue 314358
Parameters removed from on-screen error messages to protect sensitive data
Resolved in Pega Version 7.3.1
It was discovered that sensitive information such as account numbers used as parameters were being displayed in exception error messages displayed on the screen. Including the parameters as part of the error is intended to aid in debugging the problem, but these parameters do not need to be displayed in the UI. In order to protect potentially sensitive data, parameter values have been removed from the exception message. When the DeclarativePageDirectoryImpl logger is enabled, the parameters will be entered into the Pega log files and not shown on screen.
SR-B67143 · Issue 316168
Proxy configurations made available to OAuth2 and other clients
Resolved in Pega Version 7.3.1
Setting up Proxy for the REST Connector was not working when using OAuth2. When using OAuth2 authorization for Connector features including REST Connectors, the com.pega.pegarules.integration.engine.internal.client.oauth2.OAuth2ClientImpl class is used for connections to the OAuth2 Provider for interactions such as fetching authorization tokens. However, OAuth2ClientImpl does not have the required code for "picking up" the JVM-level proxy settings and applying them to the HTTP Client it uses, so the HTTP calls to the OAuth2 provider were always bypassing the configured HTTP proxy. In order to resolve this and enhance future use, the code in the RESTConnector module that allows REST Connectors to use HTTP Proxies has been extracted out into the "HTTPClientUtils" module so that it can be used by any consumer to apply the system's Proxy configuration to any instance of PegaRESTClient. OAuth2ClientImpl has been updated to call this during HTTP client setup, prior to making the request for data from OAuth2 Providers, and RESTConnnector has been updated to call this new implementation to replace the universal Proxy code that was refactored out of it.
SR-B66204 · Issue 316885
XSS sanitizing added to clientID field
Resolved in Pega Version 7.3.1
During the time of construction of a ServiceRequest in the engine , the clientID field will be sanitized with the StringUtils.crossScriptFiltering API to avoid XSS attacks.
SR-B75677 · Issue 326354
Password set removed from Lock and Roll tool
Resolved in Pega Version 7.3.1
The way the Lock and Roll tool set passwords was confusing and often caused a new application to be created with the wrong password, preventing updating the new rule or even requiring administrators to manually create the application rules. To resolve this, pzLPLockAndRollApplication has been changed to remove the setting of pySetPassword and pySetPasswordConfirmText so the values will be empty for the new version.
SR-B56648 · Issue 315674
Added security check when running out-of-the-box reports with ShowSelectorView
Resolved in Pega Version 7.3.1
A security issue was found where non-authorized users were able to access the out-of-the-box report details in their portal by manipulating the URL to pass a "short-cut" parameter that executed the Final "ShowSelectorView" activity. To avoid the need to set the explicit privileges manually, the ShowSelectorView activity will call a security check to prevent this.
SR-D23239 · Issue 499591
Support added for multi-operator SAML logins
Resolved in Pega Version 8.4
When a SAML user logged in by Single Sign-On (SAML), the system processed the login to portal as a different operator if there was a function on the Attribute field under Operator identification in the SAML authentication service. In this scenario, using an expression for operator provisioning did not work because all SAML login sessions resolved to same first operator due to parseAndEvaluateExpression() in ExpressionHelper.java ignoring new expression arguments if the expression page already existed. To support the use of multiple operator logins in this format, the system has been updated to clone a new expression page for every session and update it with the correct expression arguments.
SR-D31734 · Issue 515657
XSS protection added for parameter page properties
Resolved in Pega Version 8.4
An XSS vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.
SR-D47685 · Issue 514647
Cookie logging restored
Resolved in Pega Version 8.4
As part of security updates, Cookies were restricted from being logged. However, this caused some business use cases such as a custom function call to obtain the list of cookies that are present in the application to stop working. To resolve this, the cookie logging restriction has been reverted.
SR-D31734 · Issue 515656
Cross-site scripting protection added for parameter page properties
Resolved in Pega Version 8.2.6
An Cross-site scripting vulnerability was seen with the Edge browser when run on visibility on client check was enabled with dynamic layouts and some properties were accessed from parameter page. Because run on visibility on client check is not required in this scenario, is has been removed and the values will be accessed from the server instead.